The hugely popular FaceApp, which allows people to make themselves look old, could be a national security risk and the FBI must open an investigation into the app, according to a senior leader in the US Congress.
Investigators should work to understand the privacy and safety risks posed by the viral app, said US Senate minority leader Chuck Schumer.
The app could have put millions of citizens at risk, he said. He suggested that the fact the app is owned by a company based in Russia might mean that it being used for nefarious geopolitical ends.
It comes as presidential candidates were instructed to delete the app immediately by Democrat security chief Bob Lord.
There is no evidence that FaceApp provides user data to the Russian government. While it is run out of Russia, FaceApp claims that no information about users' photos is actually passed through servers in the country.
Democrats have invested heavily in bolstering party cyber defenses after U.S. intelligence agencies determined that Russia used hacking as part of an effort to boost support for President Donald Trump's 2016 election campaign. Russia has repeatedly denied those claims.
FaceApp, which was developed by Wireless Lab, a company based in St. Petersburg, says on its website that it has over 80 million active users. Its CEO, Yaroslav Goncharov, used to be an executive at Yandex, widely known as "Russia's Google."
The app, which was launched in 2017, made headlines in 2018 when it removed its 'ethnicity filters' after users condemned them as racist.
More recently, it has faced scrutiny from the public over issues such as not clearly communicating that the app uploads images to the cloud rather than processing them locally on a user's device.
It is not clear how the artificial intelligence application retains the data of users or how users may ensure the deletion of their data after usage, Schumer said in the letter.
Schumer said the photo editing app's location in Russia raises questions about how FaceApp lets third parties, including foreign governments, have access to the data of American citizens.
In a statement cited by media outlets, FaceApp has denied selling or sharing user data with third parties.
"99% of users don't log in; therefore, we don't have access to any data that could identify a person," the company said in a statement, adding that most images are deleted from its servers within 48 hours of the upload date.